Network Security Fundamentals [Electronic resources] - Text version

Gert De Laet, Gert Schauwers

Buffer Overflows


A buffer is a temporary data storage area used to store program code and data. When a program or process tries to store more data in a buffer than it was originally anticipated to hold, a buffer overflow occurs.

What is really happening during a buffer overflow? Buffers are temporary storage locations in memory that can hold a fixed amount of data; memory and buffer sizes are usually measured in bytes. When more data is retrieved than can be stored in a buffer location, the additional information must go into an adjacent buffer, overwriting the valid data held in it.

Buffer overflows are now very common security vulnerabilities. They are especially useful to crackers trying to infiltrate remote networks, where anonymous users try to gain access to or control of a host. These types of attacks represent one of the most serious security threats on the Internet, making up the majority of all security attacks because the vulnerabilities are common and easy to exploit. The attacker can inject and execute code on a remote system, gaining full or privileged access.

Buffer Overflow Mechanisms


Buffer overflow vulnerabilities come in different types, but the overall goal of all buffer overflow attacks is to take control of a privileged program and, if possible, the host. The attacker has two tasks to achieve this goal. First, the dirty code needs to be available in the program's code address space. Second, the privileged program should jump to that particular part of the code, which ensures that the proper parameters are loaded into memory.

NOTE

The program code, or shell code, is the software that provides the interface between the human operator and the operating system of a computer. In other words, it is the command interpreter that provides a user interface to the kernel.

The first task can be achieved in two ways: by injecting the code in the right address space or by using the existing code and modifying certain parameters slightly. The second task is a little more complex because the program's control flow needs to be modified to make the program jump to the dirty code.

Buffer Overflow Protection


Several approaches can be used to defend hosts from buffer overflow vulnerabilities and attacks. The most important approach is to have a concerted focus on writing correct code.

Software development teams need to understand how to write secure applications. Tools and techniques have been developed to help programmers write pieces of code that are immune to buffer overflow attacks.

A second method is to make the address space that holds the program's data buffers (memory locations) nonexecutable. This makes it impossible to execute code that might have been injected into the program's buffers during an attack. As previously discussed, trying to inject the code into the program's space is just one element of the buffer overflow attack. Another essential part is taking over the flow control of the program under attack. This threat can be eliminated by implementing array-bound control or array-bound checks during debugging phases of the program development. These checks ensure that buffers stay within their predefined range and verify that buffers cannot be overflowed at all.
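
As an added illustration (not code from the book), the C sketch below models a buffer and the data next to it as one constructed 16-byte region and contrasts a copy that lacks an array-bound check with one that checks the length before writing. The names `region`, `copy_unchecked` and `copy_checked` are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define BUF_LEN 8   /* capacity of the input buffer */
#define ADJ_LEN 8   /* adjacent data that must stay intact */

/* Constructed memory model: the buffer, then adjacent data right after it. */
struct region { unsigned char bytes[BUF_LEN + ADJ_LEN]; };

static void region_init(struct region *r)
{
    memset(r->bytes, 0, sizeof r->bytes);
    memcpy(r->bytes + BUF_LEN, "valid", 6);      /* adjacent valid data */
}

static int adjacent_intact(const struct region *r)
{
    return memcmp(r->bytes + BUF_LEN, "valid", 6) == 0;
}

/* No bound check on the buffer: bytes past BUF_LEN land in the adjacent data.
   Capped at the region size only so the demo stays defined behaviour. */
static void copy_unchecked(struct region *r, const char *src, size_t n)
{
    if (n > sizeof r->bytes) n = sizeof r->bytes;
    memcpy(r->bytes, src, n);
}

/* Array-bound check: reject before any byte is written. */
static int copy_checked(struct region *r, const char *src, size_t n)
{
    if (n > BUF_LEN) return -1;
    memcpy(r->bytes, src, n);
    return 0;
}

int main(void)
{
    const char input[] = "ABCDEFGHIJKL";   /* constructed input: 13 bytes with NUL */
    struct region r;
    region_init(&r);
    copy_unchecked(&r, input, sizeof input);
    printf("unchecked: adjacent intact = %d\n", adjacent_intact(&r));

    region_init(&r);
    int rc = copy_checked(&r, input, sizeof input);
    printf("checked: rc = %d, adjacent intact = %d\n", rc, adjacent_intact(&r));
    return 0;
}
```

In a real program the unchecked write would run past the end of the array itself, which is undefined behaviour; the single region here keeps the effect observable without relying on that.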

Countermeasures


So far, this chapter has touched only on buffer overflow vulnerabilities, attacks, and some defenses. Understanding these buffer overflow mechanisms is important because they form a major part of all existing remote penetration issues in today's internetworking infrastructure. Subsequent chapters in this book refer to these remote penetration vulnerability issues and discuss more prevention and protection methods (access filters, intrusion detection systems, and auditing tools).

